ANSI: Know The Impact Of A Breach Before It Occurs

As adoption rates rise, health IT makes protected health information (PHI) available to more organizations and entities, increasing the likelihood of data being improperly disclosed, lost or stolen. Despite the risks and costs of a potential data breach, many healthcare executives aren’t doing enough to support their organizations’ security efforts, but researchers from the American National Standards Institute (ANSI) believe they’d do more if the far-reaching consequences of a breach were more clearly outlined.

“If healthcare industry leaders really understood the privacy expectations of their patients and customers and the repercussions and costs resulting from a PHI breach, as well as the advantages that increased security and HIPAA compliance could bring to their organizations, the return on investment (ROI) in strengthening their compliance programs would be far more attractive,” ANSI researchers wrote in a February report.

“Privacy and security programs would likely become a high priority if the healthcare industry more widely understood the increasing costs of class action lawsuits resulting from data breaches, not to mention the statistical probability that nearly all health organizations will experience an electronic data breach in the next few years,” the report continued.

To help healthcare organizations determine the source of security threats and the various costs of a data breach, ANSI researchers presented a five-step process, the PHI value estimator (PHIve), for evaluating the effectiveness of security measures and measuring the effects of a potential breach.

Researchers recommended that organizations first conduct a risk assessment for each “PHI home,” any organizational function or space, or any application, network, database or IT system that creates, maintains, stores, transmits or disposes of PHI.

After identifying and examining each PHI home, the second step of PHIve suggests giving each PHI home a score of one through five on a security readiness scale, with one meaning highly secure and five meaning unsecure.

The third step is to consider all of the reputational, financial, legal/regulatory, operational and clinical costs that could result from a breach of each PHI home that scored poorly on the security readiness scale, to determine the relevance of each cost to the practice and assign a relevance factor on a scale of 0 to one, with a score of one representing absolute relevance and a score of .5 representing somewhat relevant.

To determine the impact of each potential threat, the fourth step suggests multiplying each potential cost by its relevance factor to determine an adjusted cost and step five suggests adding up all of those adjusted costs to determine the total cost of a data breach to an organization.

The PHIve tool ANSI developed gives providers a reminder of potentially unconsidered costs, such as loss of current patients, loss of future business and legal costs resulting from lawsuits, as well as advice on where to look for threats and how to score them.

Researchers concluded that organizations should begin thinking about and preparing for breaches before they occur, and recommended the ANSI PHIve evaluation method to make accurate estimates of costs resulting from breaches.

“Preventing or detecting a breach requires effective policies, procedures and technologies in place,” they concluded. “It is important to gain executive support and develop a good business plan to secure sufficient resources for execution. While it is impossible to eliminate all risks, many can be mitigated in order to reduce the likelihood and impact of a breach, and to ensure ethical and legal requirements are met. Recommendations for prioritized investments in an enhanced security program, resulting from conducting an organizational risk assessment, can be paid for by the reduced likelihood of a breach.”